OFFICE OF INSPECTOR GENERAL

AUDIT OF THE INTER-AMERICAN FOUNDATION'S FISCAL YEAR 2011 COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

AUDIT REPORT NO. A-IAF-12-001-P
OCTOBER 21, 2011

WASHINGTON, D.C.

Office of Inspector General

October 21, 2011

Mr. Robert N. Kaplan, President
Inter-American Foundation
901 North Stuart Street, 10th Floor
Arlington, VA 22203

Subject: Audit of the Inter-American Foundation's Fiscal Year 2011 Compliance With the Federal Information Security Management Act of 2002 (Report No. A-IAF-12-001-P)

Dear Mr. Kaplan:

The U.S. Agency for International Development (USAID) Office of Inspector General (OIG), Information Technology Division, is transmitting the final audit report prepared by Clifton Gunderson LLP on the subject audit. In finalizing the report, we considered your comments on the draft report and included them in their entirety as Appendix II. The report does not contain any recommendations, and there is no additional action required by your office to address the report's finding.

The Federal Information Security Management Act of 2002 requires federal agencies to develop, document, and implement an agencywide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. The act also requires agencies to have an annual evaluation of their information security program and practices.

In support of the act's requirements, Clifton Gunderson LLP was engaged to conduct an audit to determine whether the Inter-American Foundation implemented selected security controls for selected information systems. Appendix I contains a list of the selected security controls and information systems.

The audit concluded that the Inter-American Foundation (IAF) had implemented selected security controls for selected information systems in support of the act. For example, IAF maintained an effective security-awareness training program for its employees, implemented access controls over the organization's Enterprise Network and Grant Evaluation Management System, and established an effective continuous monitoring program. However, Clifton Gunderson LLP noted that IAF was not encrypting its data on backup tapes to be transferred off-site. IAF personnel took immediate corrective action during the audit to encrypt the organization's data on backup tapes. Because corrective action occurred before the completion of the audit, the report makes no recommendation on this finding.

We have evaluated your written comments and noted your agreement with our assessment that IAF implemented selected security controls in support of the Federal Information Security Management Act of 2002.

I appreciate the cooperation and courtesies extended to our contractor and my staff during this audit.

Sincerely,

/s/

Tim Cox
Assistant Inspector General for Audit

cc: Vice-President of Operations
    Director of Information and Management Systems

U.S. Agency for International Development
1300 Pennsylvania Avenue, NW
Washington, DC 20523
www.usaid.gov
Audit of the Inter-American Foundation's Compliance with the Federal Information Security Management Act of 2002

Fiscal Year 2011

Final Report

CONTENTS

Summary of Results ........................................ 1
Audit Findings ............................................ 3
    Data Was Not Encrypted On Backup Tapes ................ 3
Evaluation of Management Comments ......................... 4
Appendix I – Scope and Methodology ........................ 5
Appendix II – Management Comments ......................... 8

SUMMARY OF RESULTS

The Federal Information Security Management Act of 2002[1] (FISMA) requires agencies to develop, document, and implement an agencywide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. Because the Inter-American Foundation (IAF) is a federal agency, it is required to comply with federal information security requirements.

The act also requires agency heads to ensure that (1) employees are sufficiently trained in their security responsibilities, (2) security incident response capability is established, and (3) information security management processes are integrated with the agency's strategic and operational planning processes. All agencies must also report annually on the effectiveness of their information security program and practices. In addition, the act made the standards issued by the National Institute of Standards and Technology (NIST) mandatory for federal agencies.

The audit was performed in support of the FISMA requirement for an annual evaluation of IAF's information security program. The objective of this audit was to determine whether the Inter-American Foundation implemented selected[2] security controls for selected information systems in support of the Federal Information Security Management Act of 2002.

At the time of the audit, IAF operated two information systems: the Enterprise Network and the Grant Evaluation Management System. The Enterprise Network provides the infrastructure that supports mission-critical and mission-important applications as well as administrative and minor applications for the IAF. The Grant Evaluation Management System tracks all grant activity for IAF.

The audit concluded that IAF had generally implemented selected security controls for its information security program. For example, IAF:

    - Maintained an adequate and effective security awareness and training program for its employees, including new employee orientation and annual refresher training.

    - Implemented adequate access controls over the Enterprise Network and the Grant Evaluation Management System.

    - Established an effective continuous monitoring program.

Although IAF had implemented many security controls over its information systems, the audit identified one weakness in IAF's information security program. Specifically:

    - IAF was not encrypting data on backup tapes to be transferred offsite.

However, IAF personnel took immediate corrective action to encrypt the data stored on its backup tapes. As a result, the report does not make any recommendations. The details of the finding are discussed in the following section.

[1] Enacted as Title III of the E-Government Act of 2002, Public Law 107-347 (2002). Section 301 of the Act added a new subchapter on information security to the United States Code at 44 U.S.C. 3541-3549.
[2] See Appendix I for a list of controls selected.

Appendix I contains details of the audit's scope and methodology.
Appendix II contains IAF's comments in their entirety, and our evaluation of management comments is included in the report on page 4.

AUDIT FINDINGS

Data Was Not Encrypted On Backup Tapes

The Inter-American Foundation was not encrypting its data on backup tapes prior to their being sent to the offsite facility.

National Institute of Standards and Technology Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, security control MP-4, "Media Storage," states the following regarding Information System Backups:

    The organization:

    a. Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures];
    b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

    Control Enhancement:
    (1) The organization employs cryptographic mechanisms to protect information in storage.

IAF's Chief Information Security Officer (CISO) indicated that IAF had ceased encrypting backups because of the extended time required and insufficient tape storage capacity for fully encrypted backups to complete. Although the CISO stated that IAF stores tape backup media in locked cases during transfer, this does not satisfy National Institute of Standards and Technology media storage encryption requirements.

By not encrypting data on its backup tapes, IAF is at an increased risk that lost or stolen tapes may disclose sensitive data to unauthorized personnel. After noting this, IAF personnel took immediate corrective action and re-enabled the encryption of data on backup tapes.
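The control enhancement quoted above calls for cryptographic protection of stored backup data, and the reasons given for dropping it were time and tape capacity. The Go program below is an added illustration, not code from IAF's backup system or from the audit: it compresses a backup image before sealing it with AES-256-GCM, so encryption adds only a fixed 36 bytes (header, nonce and tag) however large the image is, and it provides a keyless header check that a transfer job can run before a tape leaves for the offsite facility. The tape format, its header value and the key are constructed for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)
// Magic heads every tape image in this constructed format: Magic || nonce || AES-GCM ciphertext || tag.
var Magic = []byte("ENCBKP1\x00")
// Compress gzips the raw image first; ciphertext does not compress, so this ordering is what
// keeps an encrypted tape no larger than its compressed cleartext plus a fixed header.
func Compress(plain []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(plain) // writes into a bytes.Buffer cannot fail
	zw.Close()
	return buf.Bytes()
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals the compressed image under a fresh random nonce, binding Magic as
// associated data so a relabelled or spliced image fails authentication on restore.
func EncryptBackup(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, Magic...), nonce...)
	return gcm.Seal(out, nonce, Compress(plain), Magic), nil
}

// IsEncrypted is the keyless gate an offsite-transfer job runs before a tape leaves the
// building: the header must be present with room for the 12-byte nonce and 16-byte tag.
func IsEncrypted(tape []byte) bool { return len(tape) >= len(Magic)+28 && bytes.HasPrefix(tape, Magic) }

// DecryptBackup checks the GCM tag (catching a tampered image or a wrong key) and restores the image.
func DecryptBackup(key, tape []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || !IsEncrypted(tape) {
		return nil, errors.New("bad key length or not an encrypted tape image")
	}
	hdr := len(Magic) + gcm.NonceSize()
	comp, err := gcm.Open(nil, tape[len(Magic):hdr], tape[hdr:], Magic)
	if err != nil {
		return nil, err // authentication failed
	}
	zr, err := gzip.NewReader(bytes.NewReader(comp))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}
```

A real deployment would draw the key from a key management system rather than embedding it, and would record which key version sealed each tape so that restores remain possible after key rotation.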
Moreover, IAF personnel indicated that they are seeking to procure a new backup tape library with encryption-enabled drives and larger tape storage capacity to replace the existing unit, which they plan to implement by September 2011. As a result of IAF's actions, the audit is not making a recommendation at this time.

EVALUATION OF MANAGEMENT COMMENTS

The report does not contain any recommendations. In response to the draft report, the Inter-American Foundation (IAF) concurs with the accuracy of our assessment that IAF implemented selected security controls in support of the Federal Information Security Management Act. IAF's comments are included in their entirety in Appendix II.

Appendix I

SCOPE AND METHODOLOGY

Scope

We conducted this audit in accordance with generally accepted government auditing standards.[3] Those standards require that we plan and perform the audit to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and conclusions in accordance with our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

This audit was designed by USAID's Office of the Inspector General (OIG), Information Technology Audit Division, and performed by Clifton Gunderson, LLP to answer the following question: Did the Inter-American Foundation implement selected[4] security controls for selected information systems in support of the Federal Information Security Management Act of 2002?

At the time of the audit, the Inter-American Foundation (IAF) had two information systems: the Enterprise Network and the Grant Evaluation Management System. IAF also used two systems operated by outside entities: a payroll system operated by the Department of Interior's National Business Center (NBC) and a financial management system operated by the Department of Treasury's Bureau of Public Debt (BPD). This audit assessed selected controls on the two systems operated by IAF and evaluated third-party independent reports (e.g., SAS 70, SSAE 16, IG reports) and the most recent service level agreements of IAF's external service providers, NBC and BPD.

The audit was conducted at IAF's headquarters in Arlington, Virginia, from July 18 through September 6, 2011.

Methodology

Following the framework for minimum security controls in National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 3, dated August 2009, certain controls (shown in the table below) were selected from NIST security control families.[5] We reviewed the selected controls over IAF's Enterprise Network and the Grant Evaluation Management System.

To accomplish our audit objective, we interviewed key personnel and reviewed legal and regulatory requirements stipulated by FISMA. We also reviewed documentation related to IAF's information security program, such as security policies and procedures, system security plans, and disaster recovery plans. In addition, we tested system processes to determine the adequacy and effectiveness of selected controls (listed in the table below). Furthermore, we reviewed the third-party independent reports and the most recent service level agreements of IAF's external service providers (NBC and BPD). We also reviewed the status of FISMA audit report[6] recommendations for FY 2010.

[3] Government Auditing Standards, July 2007 Revision (GAO-07-731G).
[4] See Appendix I for a list of controls selected.
[5] Security controls are organized into families according to their security function, for example access controls.
We determined that corrective actions have been taken on all prior audit recommendations.

SELECTED SECURITY CONTROLS

NIST                                                                    Enterprise
Control   Control Name                                                  Network   GEMS
Number
AC-1      Access Control Policy & Procedures                                X
AC-2      Account Management                                                            X
AC-5      Separation of Duties                                                          X
AC-7      Unsuccessful Login Attempts                                                   X
AC-8      System Use Notification                                           X
AC-17     Remote Access                                                     X
AC-19     Access Control for Mobile Devices                                 X
AT-1      Security Awareness and Training Policy and Procedures             X
AT-2      Security Awareness                                                X
AU-1      Audit and Accountability Policy and Procedures                    X
AU-9      Protection of Audit Information                                   X
CA-1      Security Assessment and Authorization Policies and Procedures     X
CA-7      Continuous Monitoring                                             X
CP-1      Contingency Planning Policy and Procedures                        X
CP-2      Contingency Plan                                                              X
CP-3      Contingency Training                                              X
CP-9      Information System Backup                                         X           X
IA-1      Identification and Authentication Policy and Procedures           X
IA-4      Identifier Management                                             X
IA-7      Cryptographic Module Authentication                               X
MA-1      System Maintenance Policy and Procedures                          X
MA-2      Controlled Maintenance                                            X
MP-1      Media Protection Policy and Procedures                            X
MP-5      Media Transport                                                   X
PE-1      Physical and Environmental Protection Policy and Procedures       X
PE-6      Monitoring Physical Access                                        X
PE-7      Visitor Control                                                   X
PE-10     Emergency Shutoff                                                 X
PE-12     Emergency Lighting                                                X
PE-13     Fire Protection                                                   X
PE-14     Temperature and Humidity Controls                                 X
PE-15     Water Damage Protection                                           X
PE-16     Delivery and Removal                                              X
PE-17     Alternate Work Site                                               X
PL-1      Security Planning Policy and Procedures                           X
PL-4      Rules of Behavior                                                 X
PS-1      Personnel Security Policy and Procedures                          X
PS-4      Personnel Termination                                             X
PS-5      Personnel Transfer                                                X
SC-1      System and Communications Protection Policy and Procedures        X
SC-13     Use of Cryptography                                               X
SC-28     Protection of Information at Rest                                 X
SI-1      System and Information Integrity Policy and Procedures            X
SI-5      Security Alerts, Advisories, and Directives                       X
SI-11     Error Handling                                                    X

[6] Audit of the Inter-American Foundation's Compliance With Provisions of the Federal Information Security Management Act for Fiscal Year 2010 (Report No. A-IAF-10-003-P).

Appendix II

Inter-American Foundation
An Independent Agency of the U.S. Government

October 11, 2011

Tim Cox
Assistant Inspector General for Audit
U.S. Agency for International Development
1300 Pennsylvania Avenue, N.W.
Washington, DC 20523

Subject: Comments on Audit Report of IAF Compliance with Provisions of the Federal Information Security Management Act (FISMA) for Fiscal Year 2011

Dear Mr. Cox:

Thank you very much for sharing the draft report prepared by the USAID Office of the Inspector General on the FY 2011 annual audit of the Inter-American Foundation's (IAF) information security program. The IAF has reviewed the report and concurs with the accuracy of your assessment that IAF implemented selected security controls for selected information systems in support of the Federal Information Security Management Act.

I would like to take this opportunity to express our appreciation for the fine work and high level of professionalism of the USAID AIG team that conducted the FY 2011 audit of the IAF information assurance program. We were very favorably impressed with their methodology and well-defined work plan, as well as their extensive technical knowledge of IT security, all of which contributed to the efficiency and thoroughness of the review. We are continually seeking ways in which to further strengthen our security posture, and look forward to our continued collaboration.

Sincerely,

/s/

Robert N. Kaplan
President & CEO

901 N. Stuart Street • Arlington, VA 22203 • Phone: 703-306-4301 • Fax: 703-306-4369

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: 202-712-1150
Fax: 202-216-3047
www.usaid.gov/oig